Author Topic: Security Considerations  (Read 2828 times)

Dread Pirate Roberts

  • Captain
  • Administrator
  • *****
  • Posts: 566
  • Karma: +552/-41
    • View Profile
    • Personal Message (Offline)
Security Considerations
« on: October 08, 2013, 06:13:08 am »
As many of you are signing up, I would like to remind everyone that you should not reuse your password from either Silk Road marketplace or the forums. We have to now consider those avenues compromised and all information on their database may be available to the law enforcement officials. As a result, a new password is simply good practice. I would further highlight the importance of regular password changes and maintaining at least 8 characters in a password to resist any brute force attempts on your account. We have taken precautions against such attacks but your account will only ever be as secure as you are.
« Last Edit: October 08, 2013, 07:58:16 pm by Dread Pirate Roberts »
Quote 23: Criticism has plucked the imaginary flower from the chain not so that man may continue to bear the chain without consolation or fantasy but so that he may throw off the chain and cull the living flower.

Maestro

  • Newbie
  • *
  • Posts: 29
  • Karma: +1/-2
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #1 on: October 08, 2013, 07:49:22 pm »
Interesting edit. I wonder if it was intentional that you signed it like that before the edit or if it was an accident as a result of habit. Either way, I thought you were signing as DPR now, regardless of your identity.

flwrchlds9

  • Full Member
  • ***
  • Posts: 198
  • Karma: +52/-9
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #2 on: October 08, 2013, 09:09:09 pm »
Interesting.

Not possible to have the original staff key sign your key?

Also the "wide marketing push" sounds concerning.

Welcome and cheers however.
** LOOSE LIPS   SINK SHIPS **

boysen

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +5/-1
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #3 on: October 08, 2013, 09:24:53 pm »
Edited the OP, good move. You probably shouldn't do that again. :)

sevensix76

  • Full Member
  • ***
  • Posts: 108
  • Karma: +12/-9
  • My tendency for dependency is offending me
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #4 on: October 08, 2013, 09:38:44 pm »
Got the feeling I missed something important here;-)
Geezers need excitement
if their lives don't provide em they stay inside violence
common sense simple common sense

Maestro

  • Newbie
  • *
  • Posts: 29
  • Karma: +1/-2
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #5 on: October 08, 2013, 09:39:43 pm »
Edited the OP, good move. You probably shouldn't do that again. :)
Unless it was intentional, serving the purpose to make use believe it was an accident.

Vy7wf

  • Newbie
  • *
  • Posts: 46
  • Karma: +2/-0
  • ED IS THE TRUE PATH TO NIRVANA!
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #6 on: October 09, 2013, 02:38:07 am »
Official fall guy?
Ed is the standard text editor.

The President

  • Hero Member
  • *****
  • Posts: 557
  • Karma: +256/-31
  • PLEASE USE PGP WHEN MESSAGING ME!
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #7 on: October 09, 2013, 03:00:18 am »
ahh smart thinking DPR. Password has been changed!
Checkout The President's Medicinal Cannabis Thread: http://silkroad5v7dywlc.onion/index.php?topic=466.0

I really am Barack Hussein Obama II. Anyone else on these forums with my name is a fraud.

gnbome

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
  • NBOMe gnomE
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #8 on: October 10, 2013, 02:06:08 am »
Edited the OP, good move. You probably shouldn't do that again. :)
Unless it was intentional, serving the purpose to make use believe it was an accident.

What we used to call Information Warfare back in the day!

CabinBoyNathanial

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #9 on: October 10, 2013, 03:11:45 am »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It is basic good form to not re-use passwords on any sites, but damn especially on sites like this.

Unique, nonsense passwords everywhere. It is a pain in the ass, but that's what we need to do.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)

iQIcBAEBAgAGBQJSVhqtAAoJEIcwU1loxKLo0akP/juoeFMKRSqtG/jpYJ5oHu/1
7z1Eb5ThbBtbIltSd8uuQb7Zi9SLciRrt9vHG5KhCOO2UUYgtQi0V8qXLVqkbU1h
EN03cqoPWc5F0u0T034ZCl0YPM+WGx+xvbNZMN1AjxpEuIrrL63ErLfyFjb2ySxS
vWbU6kXXT2PzMOsW/HRqttQoU1a+rCshB2QywqXS8WH8687VaFzARJfbbH9bDFYn
JBOoNBW9fqONTSHswRW7PCA1vErEDUrWsOKgtFYTPkWBc/AA/S89E0wUyhLqoUIv
q9kVUlVdzhwtkJv3DjQelYK0oaT3qvlSBf3QnVwEJHOPoixuOn1wnRa5x05Pq+p6
NErZXInsnObFXHjO1b6k8zhdKTmhfCWNbOzC5YBife/OIP/aQQWmDUdADl/UAb//
ZV17PbYBgdifh6iudlOKSpP+qRda9apUiUGyX5mW7Wq5ODc4OYpiM3s6l3JvXOj3
pdFhSVh7InG0I5QRF73YNh/saE6hRU0Onilg7YKs4puOaL2ozM+Hzl0WvC9IKPd5
X804MspxQAFXEeURZ1MXHE1TPhkXsYYTDE2NCCZDvUtZkJdKfViGejT72444Zx4A
C4DwU2qnTYo9ub8ZKDgCTnWsN8884djCHyOjl+avrFFx7aOlj/B2YnWpNBCO9W5K
hRLEJ+oMVUr5a/8QFQI7
=GrU1
-----END PGP SIGNATURE-----

MisterSister

  • Sr. Member
  • ****
  • Posts: 304
  • Karma: +84/-23
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #10 on: October 10, 2013, 03:37:18 am »
Interesting edit. I wonder if it was intentional that you signed it like that before the edit or if it was an accident as a result of habit. Either way, I thought you were signing as DPR now, regardless of your identity.
Can you PM me what I missed?
Let he who is without sin cast the first stone.

flwrchlds9

  • Full Member
  • ***
  • Posts: 198
  • Karma: +52/-9
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #11 on: October 10, 2013, 04:49:39 am »
It is no important.

And never use the same password anywhere. Ever.
** LOOSE LIPS   SINK SHIPS **

stem

  • Full Member
  • ***
  • Posts: 111
  • Karma: +17/-21
  • I love weed
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #12 on: October 26, 2013, 11:58:10 pm »
What above said. and change password every once in a while.

BlueGiraffe

  • Vendor
  • Sr. Member
  • *****
  • Posts: 338
  • Karma: +77/-10
  • ♥ Proper GHB Vendor ♥
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #13 on: October 27, 2013, 12:18:47 am »
As many of you are signing up, I would like to remind everyone that you should not reuse your password from either Silk Road marketplace or the forums. We have to now consider those avenues compromised and all information on their database may be available to the law enforcement officials. As a result, a new password is simply good practice. I would further highlight the importance of regular password changes and maintaining at least 8 characters in a password to resist any brute force attempts on your account. We have taken precautions against such attacks but your account will only ever be as secure as you are.

I would think well over 8 characters for a password, like a minimum of 15, would be more appropriate...

BG
Apologies for downtime - have had major IRL stuff to deal with - have not left the building - back soon...  BG

SR: http://silkroad6ownowfk.onion/users/bluegiraffe
The Hub: http://thehubaoydxrommh.onion/index.php?topic=261.0

anontoker

  • Hero Member
  • *****
  • Posts: 1137
  • Karma: +214/-33
  • Resident Anonie
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #14 on: October 27, 2013, 01:12:44 am »
I re-use phrases but not unique characters. ;)

I also have groups of 8 char/num/sym passwords in memory.

Eventually I am doing away with any and all written password sheets which I really, really despise.
-=Supported vendors=-
NwNugz
 Items:http://silkroad6ownowfk.onion/users/nw-nugz/items
 MoodyMayhem: http://silkroad6ownowfk.onion/users/moodymayhem/item

horse

  • Full Member
  • ***
  • Posts: 129
  • Karma: +26/-8
  • -smack.junk.skag.tar.horse-
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #15 on: October 27, 2013, 01:19:16 am »
thank you based DPR
another quality post brought to you by the (probably drug-induced) ramblings of your friendly, neighborhood horse!

horse, it's what's for breakfast! ...and lunch, and dinner...
never forget to shoot your three square "meals" a day, boys and girls!

CLKR

  • Full Member
  • ***
  • Posts: 106
  • Karma: +8/-3
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #16 on: October 27, 2013, 02:48:43 pm »
As well as not reusing passwords (for anything, if you get nicked they'l get all your clearnet passwords to try etc) its also best not to have them saved in a notepad document on your pc etc (happens much moreo ften than you'd think), keep them memorized only! Or is you're forgetful write a hint by hand under a friends table or something, somewhere itd never be found accidentally or could be linked back to you.

Milkdud

  • Jr. Member
  • **
  • Posts: 93
  • Karma: +7/-49
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #17 on: October 27, 2013, 05:29:38 pm »
Um i dont know what the hell he edited but if it was any identifying information LEO now have it. They probably crawl this forum and harvest any and every change. People need to stop protecting insecure practices, especially from the guy whose running the site.


And you DPR, if you care so much about peoples security in light of all the info LEO now have from the old site, why are you letting old vendors reuse their ID's even though LEO now have a list of every bitcoin addressed they used in their account? All it takes is one straight no-mix cashout to be located and flipped. Im started to have doubts about the competency of our leadership.

Dread Pirate Roberts

  • Captain
  • Administrator
  • *****
  • Posts: 566
  • Karma: +552/-41
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #18 on: October 27, 2013, 10:58:03 pm »
Um i dont know what the hell he edited but if it was any identifying information LEO now have it. They probably crawl this forum and harvest any and every change. People need to stop protecting insecure practices, especially from the guy whose running the site.


And you DPR, if you care so much about peoples security in light of all the info LEO now have from the old site, why are you letting old vendors reuse their ID's even though LEO now have a list of every bitcoin addressed they used in their account? All it takes is one straight no-mix cashout to be located and flipped. Im started to have doubts about the competency of our leadership.

Once vendors are verified, they have an option to completely get a new identity so that not even staff will know who they are - only I will. If a vendor wants to start fresh and pay the bond to avoid even me knowing they can also do that.
Quote 23: Criticism has plucked the imaginary flower from the chain not so that man may continue to bear the chain without consolation or fantasy but so that he may throw off the chain and cull the living flower.

Thirtyrox

  • Vendor
  • Sr. Member
  • *****
  • Posts: 271
  • Karma: +24/-12
  • Nosce te Ipsum!
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #19 on: October 28, 2013, 03:00:00 am »
As many of you are signing up, I would like to remind everyone that you should not reuse your password from either Silk Road marketplace or the forums. We have to now consider those avenues compromised and all information on their database may be available to the law enforcement officials. As a result, a new password is simply good practice. I would further highlight the importance of regular password changes and maintaining at least 8 characters in a password to resist any brute force attempts on your account. We have taken precautions against such attacks but your account will only ever be as secure as you are.

I would think well over 8 characters for a password, like a minimum of 15, would be more appropriate...

BG

+1 to this! My passwords on super sensitive situations have always been 18+ characters, and a mixture of upper/lower case letters, numbers, and symbols. Call me paranoid, but when it comes to something that may have potential to incriminate me legally, I just don't see a reason to skimp on something so simple as a password.
OG SR1 Vendor since mid 2012

http://silkroad6ownowfk.onion/users/thirtyrox
$30 30mg Roxies
$2.35 2mg Xanax Bars

ColorBlack

  • Jr. Member
  • **
  • Posts: 62
  • Karma: +12/-5
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #20 on: October 28, 2013, 03:04:45 am »
symbols?! damn TR, good op-sec! I gotta get me some symbols too. I was thinking something like 'frosty@frosty'...
yeah yeah.. too soon.. :-X

Thirtyrox

  • Vendor
  • Sr. Member
  • *****
  • Posts: 271
  • Karma: +24/-12
  • Nosce te Ipsum!
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #21 on: October 28, 2013, 03:25:05 am »
symbols?! damn TR, good op-sec! I gotta get me some symbols too. I was thinking something like 'frosty@frosty'...
yeah yeah.. too soon.. :-X

;)  PM sent btw!

Peace!
« Last Edit: October 28, 2013, 03:25:53 am by Thirtyrox »
OG SR1 Vendor since mid 2012

http://silkroad6ownowfk.onion/users/thirtyrox
$30 30mg Roxies
$2.35 2mg Xanax Bars

olmate

  • Newbie
  • *
  • Posts: 42
  • Karma: +2/-0
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #22 on: October 28, 2013, 04:19:59 am »
Does anyone else here know about password cards? Just google it. You print a unique credit-card sized bit of paper (with an identification code to look it up if you ever lose it). This has a grid of letters numbers (and, I believe, symbols, if you want). The idea is you memorise a simple rule (eg 4left4down4diagonal(up,right)). Now you NEVER share or record the rule - if it is simple, you should never need to record it.
Then, you can write the coordinate of the first character of your password. So what if someone finds it. They don't know the rule, they have no idea what the password could be.
You can use the same card for as many passwords as you want. Why not?
Oh, NB, take care to preserve the unique identifying code of your password card, so that if you lose it/put it through the washing machine/whatever, you don't lose ALL your passwords!
OH, and, I'm pretty sure there's an app for your phone, if you don't want to carry around a piece of paper.

blue

  • Newbie
  • *
  • Posts: 21
  • Karma: +6/-5
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #23 on: October 28, 2013, 11:28:36 pm »
Always have a unique core password that you can remember for each login and encryption, at least 12 characters long with small, big, numbers and special characters.
It might be hard to remember at first but when you have typed it several times it will stick.

Then make the password bigger with easy to remember patterns on your keyboard like olmate says. Or just fill in another 15 characters like "KKKKKKKKKKKKKKK".
Your password is now already stronger and you will not forget it as easy as a more random password.
Once you get used to create and remember these passwords they will evolve and get better and better.

Your passwords is one of the most important things you have to protect yourself, your account, your encryption, your bitcoins and everything.
You are smart! You can create and remember a secure password! ;)
Remember that and never allow yourself to sink to the low level of dumb lazy people.

wishihada2jz

  • Full Member
  • ***
  • Posts: 138
  • Karma: +56/-5
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #24 on: October 29, 2013, 08:25:59 am »
Changing passwords often is just good OPSEC and everyone should start shifting towards taking any measures possible to increase security. Using a pass "phrase" instead of a pass "word" is always a good basic starting point. Song lyrics work nicely. Or movie quotes, so long as your username doesn't reference the film (hey, would just make the guessing pool smaller). This is just one small tiny thing we can all do. Don't need a degree in programming to make a complex passphrase :)

MrPharmacist

  • Sr. Member
  • ****
  • Posts: 443
  • Karma: +72/-16
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #25 on: October 29, 2013, 10:34:05 am »
Remembering a really long password isn't hard. you could use the lyrics of a song you know off by heart for example then chuck your first ever phone numbers in there randomly or some shit. One of the Pirate Bay founders knew the first 100 decimal digits of PI by heart which are:  3.14159 26535 89793 23846 26433 83279 50288 41971 69399 37510 58209 74944 59230 78164 06286 20899 86280 34825 34211 70679

and I think he may have even used that as a password as he mentioned regularly typing it on his keyboard from memory in the PB documentary.

However he's also the one who didn't encrypt his computer hard drive if memory serves so....you need to dot your security i's and cross your T's no matter how good and unique your password...

There's a million crazy tricks to remember shit like that.

I bet loads of geeks use Pi as a password though so instead of PI you could simply use a long stack of randomly-chosen numbers with a few capital and small case letters thrown in. Here's a wiki how on remembering long lists of numbers from the CLEARNET: http://www.wikihow.com/Memorize-Pi

I can barely remember my old phone numbers Lief !!! ha ha x
"Uh, what is the Soup Du Jour?"

"It's the Soup of the Day."

"Mmmm. That sounds good. I'll have that."

40005a

  • Jr. Member
  • **
  • Posts: 52
  • Karma: +7/-2
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #26 on: October 31, 2013, 09:02:09 pm »
I've found it's pretty easy to make many unique passwords with a length of 30+ characters, always with lots of symbols mixed in of course, of course. You just need to find a system that works for you and, practice, practice, practice.
FYI man, alright. You could sit at home, and do like absolutely nothing, and your name goes through like 17 computers a day. 1984? Yeah right, man. That's a typo. Orwell is here now. He's livin' large. We have no names, man. No names. We are nameless!

MrPharmacist

  • Sr. Member
  • ****
  • Posts: 443
  • Karma: +72/-16
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #27 on: November 01, 2013, 12:29:49 am »
I've found it's pretty easy to make many unique passwords with a length of 30+ characters, always with lots of symbols mixed in of course, of course. You just need to find a system that works for you and, practice, practice, practice.

I agree, working out a password system is the way forward.  I have them written down in 'reminder code'.  i.e. words which remind me of the password.  For example if my password was: "brown1977Taylor1998cunt1kAfrica",  my reminder code would be:

Login: MisterP
Password: firstcarYEARMaidenGRADrudeZX81Honey

When reading the reminder, I would know the following:

'first car' always refers to the colour = brown
'YEAR' is always the year after I was born = 1977
maiden is mums maiden name = Taylor
GRAD is always the year before I graduated from Uni = 1998
rude always = cunt
ZX81 was my first ever computer and always  = 1k (that's how much memory it had!)
Honey is where my honeymoon was, so always = Africa

So these reminders  / triggers would be enough to jog my memory on the order of the password components.... but only I would know what they mean.

After enough logins I tend to memorize the important p-words anyway,  but the reminders are just there in case of amnesia.....

Find a system that works for you, and one that is interchangeble so you can change it up from time to time....
"Uh, what is the Soup Du Jour?"

"It's the Soup of the Day."

"Mmmm. That sounds good. I'll have that."

Nightcrawler

  • Guest
Re: Security Considerations
« Reply #28 on: November 01, 2013, 02:59:54 am »
I've found it's pretty easy to make many unique passwords with a length of 30+ characters, always with lots of symbols mixed in of course, of course. You just need to find a system that works for you and, practice, practice, practice.

I agree, working out a password system is the way forward.  I have them written down in 'reminder code'.  i.e. words which remind me of the password.  For example if my password was: "brown1977Taylor1998cunt1kAfrica",  my reminder code would be:

Login: MisterP
Password: firstcarYEARMaidenGRADrudeZX81Honey

When reading the reminder, I would know the following:

'first car' always refers to the colour = brown
'YEAR' is always the year after I was born = 1977
maiden is mums maiden name = Taylor
GRAD is always the year before I graduated from Uni = 1998
rude always = cunt
ZX81 was my first ever computer and always  = 1k (that's how much memory it had!)
Honey is where my honeymoon was, so always = Africa

So these reminders  / triggers would be enough to jog my memory on the order of the password components.... but only I would know what they mean.

After enough logins I tend to memorize the important p-words anyway,  but the reminders are just there in case of amnesia.....

Find a system that works for you, and one that is interchangeble so you can change it up from time to time....

The problem with this system is that it depends on information that you know, or that is discoverable about you.  If you should ever be raided, you can be certain that dictionary attacks will be mounted against your encrypted data based on your personal information. As evidence of this, I would refer you to Brian Krebs' excellent article in the Washington Post:

DNA Key to Decoding Human Factor
Secret Service's Distributed Computing Project Aimed at Decoding Encrypted Evidence
By Brian Krebs
washingtonpost.com Staff Writer
Monday, March 28, 2005; 6:48 AM

http://www.washingtonpost.com/wp-dyn/articles/A6098-2005Mar28.html (clearnet)

The way to defeat any such system is to choose passphrases that are random. I recommend Diceware: http://www.diceware.com/  (clearnet)

DIceware passphrases are chosen by means of a random physical process: dice rolls.  Words are chosen from the Diceware list, based on the results of a 5-dice roll.     

What Is Diceware?

Diceware™ is a method for picking passphrases that uses dice to select words at random from a special list called the Diceware Word List. Each word in the list is preceded by a five digit number. All the digits are between one and six, allowing you to use the outcomes of five dice rolls to select one unique word from the list.

Here is a short excerpt from the Diceware word list:

 16655 clause
 16656 claw
 16661 clay
 16662 clean
 16663 clear
 16664 cleat
 16665 cleft
 16666 clerk
 21111 cliche
 21112 click
 21113 cliff
 21114 climb
 21115 clime
 21116 cling
 21121 clink
 21122 clint
 21123 clio
 21124 clip
 21125 clive
 21126 cloak
 21131 clock

The complete list contains 7776 short English words, abbreviations and easy-to-remember character strings.

Because the words are chosen based on random dice rolls, it is impossible for an opponent to know which words have been chosen, and in what order. Therefore, even if an opponent knew for certain that you had used Diceware, and that the length of your passphrase was 10 words, they would still be required to brute-force your passphrase. A 10-word Diceware passphrase contains 129-bits of entropy, or about twice the entropy of the 128-bit ciphers used in PGP/GPG, i.e. AES128, IDEA and CAST5. (FWIW, CAST5 is used by PGP/GPG to protect your private key.)

Your passphrase is your absolute, last-ditch line of defense -- if you're going to use one, make it a good one, one that the authorities can neither guess nor brute-force.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.


MrPharmacist

  • Sr. Member
  • ****
  • Posts: 443
  • Karma: +72/-16
    • View Profile
    • Personal Message (Offline)
Re: Security Considerations
« Reply #29 on: November 01, 2013, 09:20:11 am »
+1 to you Nightcrawler.  You've enlightened me with regards to Diceware  This looks like a far more robust method of password selection.

I guess my method is ample for a buyer of personal amounts of drugs though.   Have a great weekend.

cheers,

Mr P
"Uh, what is the Soup Du Jour?"

"It's the Soup of the Day."

"Mmmm. That sounds good. I'll have that."